Request
Bump the default gh-aw-firewall (AWF) version from v0.27.10 → v0.27.11 and regenerate the pinned workflow artifacts.
Release: https://github.com/github/gh-aw-firewall/releases/tag/v0.27.11
Full changelog: github/gh-aw-firewall@v0.27.10...v0.27.11
Why
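v0.27.11 ships the two network-isolation (sandbox.agent.sudo: false) rollout fixes for the failures that block sudo: false workflows on standard runners:
- awf-cli-proxy could never become healthy because the external DIFC-proxy/MCP-gateway peers were only attached to awf-net after startup had already gated on that sidecar's health (getaddrinfo EAI_AGAIN awmg-cli-proxy → "firewall failed to start, agent never invoked"). Fixed in gh-aw-firewall#5544 (fix(network-isolation): break topology-attach ordering deadlock starving cli-proxy health gate).
- EACCES on upload-artifact once the sudo chmod workaround was removed. Fixed in gh-aw-firewall#5546 (Fix rootless firewall artifact permissions to prevent EACCES on upload).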
These directly unblock sudo: false workflows (e.g. the glossary-maintainer revert in #41426), plus assorted refactors/test-coverage improvements listed in the release notes.
Changes required
- Update the default version constant in pkg/constants/version_constants.go:76:
  const DefaultFirewallVersion Version = "v0.27.11"
- Run the documented rebuild + double-recompile (per the warning comment at version_constants.go:70-75):
  make build && make recompile && make recompile
  The first recompile regenerates all *.lock.yml using the new version; the second refreshes the container SHA pins resolved during the first pass.
- Refresh .github/aw/actions-lock.json: the recompile resolves the new agent/api-proxy/squid:0.27.11 pinned image digests (replacing the 0.27.10 entries around lines 245/325/470).
- Add a changeset, .changeset/patch-bump-awf-v0-27-11.md, matching the existing pattern:
  ---
  "gh-aw": patch
  ---
  Bump the default gh-aw-firewall version to v0.27.11 and regenerate pinned workflow artifacts.
Note: this is a firewall-only bump — DefaultGitHubMCPServerVersion / gh-aw-mcpg are unchanged unless a coupled bump is intended.
Acceptance criteria
- DefaultFirewallVersion == "v0.27.11".
- All regenerated *.lock.yml reference gh-aw-firewall/{agent,api-proxy,squid}:0.27.11 with refreshed SHA pins.
- .github/aw/actions-lock.json contains 0.27.11 pinned-image digests.
- Changeset added.
- make build and the test suite pass.
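One way to check the lock-file acceptance criteria above after the double recompile, as an added example that is not part of this issue or of gh-aw's own tooling. It assumes a digest pin is written as `@sha256:<64 hex>` directly after the image tag; `checkPins`, `imageRef` and the sample lines are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed reference shape (not confirmed by the issue):
//   gh-aw-firewall/<component>:<version>@sha256:<64 hex>
var imageRef = regexp.MustCompile(`gh-aw-firewall/(agent|api-proxy|squid):([0-9]+\.[0-9]+\.[0-9]+)(@sha256:[0-9a-f]{64})?`)

// checkPins scans lock-file text and reports every firewall image reference
// that is not at the wanted version or lacks a full digest pin, plus any of
// the three components that never appears at all.
func checkPins(text, want string) []string {
	var problems []string
	seen := map[string]bool{}
	for n, line := range strings.Split(text, "\n") {
		for _, m := range imageRef.FindAllStringSubmatch(line, -1) {
			comp, ver, digest := m[1], m[2], m[3]
			seen[comp] = true
			if ver != want {
				problems = append(problems, fmt.Sprintf("line %d: %s is %s, want %s", n+1, comp, ver, want))
			}
			if digest == "" {
				problems = append(problems, fmt.Sprintf("line %d: %s has no sha256 pin", n+1, comp))
			}
		}
	}
	for _, comp := range []string{"agent", "api-proxy", "squid"} {
		if !seen[comp] {
			problems = append(problems, "missing component: "+comp)
		}
	}
	return problems
}

func main() {
	d := strings.Repeat("ab", 32) // constructed placeholder digest, not a real one
	sample := "image: gh-aw-firewall/agent:0.27.11@sha256:" + d + "\n" +
		"image: gh-aw-firewall/api-proxy:0.27.10@sha256:" + d + "\n" + // stale tag
		"image: gh-aw-firewall/squid:0.27.11\n" // tag only, no digest
	for _, p := range checkPins(sample, "0.27.11") {
		fmt.Println(p)
	}
}
```

A stale 0.27.10 entry or a tag-only reference left behind by a single recompile shows up as a reported line rather than passing silently.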